top of page
Edward Vargas

HRSA 340B Audit Guide - 340B Compliance & Program Integrity


A professional reviewing financial report detail

A Manager's Guide for HRSA 340B Audits, Program Integrity, and Compliance

The 340B program is complex, and maintaining accurate records is essential for success! If you're a program manager, you know this all too well. But are you confident your records would stand up to a Health Resources and Services Administration (HRSA) audit? Let's review what you need to know about maintaining auditable records for 340B compliance.


340B Program Changes for Covered Entities

In the past couple of years, the 340B drug pricing program has seen some changes in record-keeping and program requirements. Edward Vargas, founder of Virtue 340B, points out a significant update: "One of the data elements on the HRSA data request list is to provide proof of an independent audit of your contract pharmacies." You must show evidence that an external auditor has reviewed your contract pharmacy operations.


But why are these records so important? Simply put, they're your defense against potential program removal. Vargas warns, "The most severe penalty would be removal from the 340B program." He adds that in past years, some covered entities did, in fact, lose their eligibility and had to repay manufacturers for compliance violations under section 340B, as outlined in the HRSA Office of Pharmacy Affairs.


The good news? Severe penalties have become less common in recent years. Vargas explains, "We've seen less and less of it. And it's primarily due to the 340B industry's acceptance of engaging third-party administrative vendors to help facilitate the program."


Understanding 340B Auditable Records

Essential 340B Program Documentation, Auditable Records, and Regulatory Requirements

When it comes to 340B auditable records, HRSA has specific requirements. We can break these down into two main categories:

  1. In-house Administrative Records

  2. Operational Information


To ensure compliance with 340B program requirements and maintain readiness for HRSA audits, covered entities must maintain comprehensive in-house administrative records. These documents, important for demonstrating program integrity to the Office of Pharmacy Affairs (OPA), include:

  • Policies and procedures

  • Eligibility documentation (Medicare cost report for hospitals, federal grants for grantees)

  • Provider lists

  • Contract pharmacy documentation (agreements, oversight, filters for claim adjudication)


340B Drug Inventory and Utilization Records:

Managing 340B drug inventory and utilization records is essential for covered entities to assess compliance and avoid non-compliance issues during HRSA audits. These records, which are critical for ensuring program integrity and adhering to 340B pricing requirements, include:

  • Records of all drugs administered or dispensed (quantities, patient IDs, associated payers)

  • Purchasing documentation (list of 340B drugs purchased from the wholesaler with pricing details)


See our article on how to Master Your 340B Purchasing Universe


Your policies and procedures are one of the core backbones covered entities can lean on when operating in one of those gray areas that could be perceived differently by the stakeholders assessing you.


The Role of Software in Maintaining Auditable Records

While software is important in managing 340B records, you can't rely on software alone. Most software platforms handle two primary data sets:

  1. Utilization records

  2. Purchasing history


However, these systems typically don't manage other essential documents, like policies and procedures. In the grand scheme of things, those are the two primary buckets that they are responsible for.


Some vendors are expanding their capabilities, but it's still vital for covered entities to manage their administrative records independently. Covered entities that can integrate their EMR system with their software vendors and/or have found independent ways to extract reports and reconcile reporting from their software vendors are best practices and ultimately lead to successful risk mitigation of their program.


Remember, while software can significantly help with record-keeping, you must ensure all aspects of your 340B program are properly documented and easily accessible for HRSA’s 340B audits.


Key Components of 340B Auditable Records

Essential Documentation and Record-Keeping

Maintaining comprehensive 340B records isn't just about ticking boxes; it's about creating a robust system that can withstand scrutiny. Edward Vargas recommends "implementing a systematic storage, document storage, and retrieval process."


Here's what you need to focus on when ensuring compliance with the 340B program and preparing for HRSA's 340B audits:

  1. Centralized Database: Create a specific area for all your 340B auditable records. This makes retrieval easier during audits.

  2. Standardized Naming Conventions: Vargas emphasizes this point, especially for contract pharmacy service agreements. "Those are common ones: You typically have an original agreement, and then as the years go on, there are amendments and addendums issued on it," he explains. A consistent naming system helps track these changes over time.

  3. Regular Updates: Review and update your records at least annually to ensure ongoing 340B program compliance. This is particularly important for eligibility documents.

  4. Periodic Internal Audits: Conduct these to spot and fix any discrepancies early.

  5. Digital Record Keeping: Use digital tools to improve the accessibility and security of your documents.


Vargas shares a practical tip: "Covered entities that are dedicated to conducting regular audits and tracking their findings often have more robust auditable record documentation and ability to substantiate it."


Learn more about Virtue 340B's Expert Consulting Services


The Power of Policies and Procedures

Don't underestimate the importance of well-documented policies and procedures. These are the backbone of each covered entity's program. Let's share a real-world example:


One of the largest litigation cases that settled in recent years involved (among other things) 340B captured prescriptions for patients who hadn't been seen by the entity that was capturing the prescription in two or even up to three years. During a HRSA 340B program audit, this practice was flagged as non-compliant with their interpretation of eligible-patient definition requirements.


However, the covered entity took an unprecedented step. Instead of accepting the audit results, they challenged HRSA's findings in court. Their defense, in part, hinged on their documented policies and procedures, which explicitly stated that they considered an eligible patient visit to be extended for up to three years.


This case highlights several critical aspects of 340B program audits and compliance:

  1. The importance of clear, comprehensive policies and procedures

  2. The role of patient definition in 340B eligibility

  3. The potential for covered entities to challenge HRSA's audit findings

  4. The impact of well-documented practices on audit outcomes


Ultimately, the court sided with the covered entity, erasing HRSA's findings. This landmark case has significant implications for how covered outpatient drugs are managed under the 340B program, potentially influencing future interpretations of patient eligibility and the scope of contract pharmacy arrangements.


It's worth noting that this case may change how the Office of Pharmacy Affairs (OPA) and HRSA audits covered entities in the future. It also emphasizes the need for covered entities to ensure their policies comply with 340B requirements and are clearly documented to support their practices in case of an audit or legal challenge.


This case powerfully reminds us of the importance of robust policies and procedures in maintaining 340B program compliance and successfully navigating the audit process.


Maintaining Data Integrity

Data Accuracy and Techniques

Data integrity is the cornerstone of 340B compliance. Covered entities must ensure that they dispense drugs only to eligible patients and maintain program integrity.


Here's why it matters:

  1. Audit Defense: Both HRSA and manufacturers can request audits. Without solid data integrity, you're starting on the back foot.

  2. Preventing Violations: Good data helps prevent diversion and duplicate discounts.

  3. Transparency: It supports accountability throughout your organization.


To ensure data accuracy, Virtue 340B recommends:


Regular Data Audits and Reconciliations:

Keep a close eye on purchases and dispenses to identify systemic control gaps.


Robust Data Management Software

Integrate your electronic medical record (EMR) system with other vendor platforms. Remember, your EMR is ultimately the source of your truth for patient eligibility.


Automated Tools

Implement tools to track and report 340B transactions automatically. This could include scheduling monthly reports or developing automation to test data integrity.


Staff Training

Train your team on proper data entry and management practices. Vargas says, "That's typically where the fault occurs."


Understanding 340B Compliance Vendor Reports

One challenge Vargas highlights is the difficulty in understanding reports from software vendors. He explains, "Sometimes even the end user at the covered entity level doesn't completely understand the reports they're running for themselves."


This becomes more complex when dealing with multiple vendors. Any covered entity that employs or contracts with multiple contract pharmacies is most likely also contracted with multiple TPA vendors, where they might perform the same function, but how they do it and how you can report out of their system differs across each.


To overcome this, ensure your team is well-trained in each vendor's reporting system. Don't hesitate to ask vendors for clarification or additional training if needed. Remember, you can't manage what you don't understand.


Preparing for HRSA Audits

Self-Audit Techniques and Readiness Checklist

Preparing for a HRSA audit isn't a last-minute scramble—it's an ongoing process. Establish a regular audit schedule and clearly define the scope period you assess.


Here's how to conduct effective internal 340b audits:

  1. Define Your Scope: Be clear about your auditing period.

  2. Review Policies and Procedures: Vargas stresses, "Ensure that they reflect your actual operations." This isn't just about compliance—it's your defense in gray areas.

  3. Verify Data Accuracy: Check your drug inventory and purchase records for completeness.

  4. Assess Eligibility: Review patient and provider eligibility for 340B transactions.

  5. Document and Act: Record all findings and implement corrective actions.


Vargas recommends using a Management Action Register: "It's basically a table of findings during an audit, corrective action that needs to be taken, who's responsible. And it's a way to track audit findings and recommendations."



Your audit readiness checklist should include the following:

  • Up-to-date policies and procedures

  • Comprehensive 340B drug transaction and inventory records

  • Provider eligibility and contract pharmacy agreement documentation

  • Internal and external audit findings with corrective action plans

  • Evidence of Medicaid Duplicate Discount prevention measures


Remember, HRSA now requires proof of independent audits for contract pharmacies. Vargas notes, "All our audit reports include a cover page with all those elements."


Learn more about Virtue 340B's Independent 340B Audit Services


340B Program Audit Challenges and Solutions

Common Independent Audit Challenges and Practical Solutions

Even the most diligent 340B managers face challenges, including several common hurdles:

  1. Data Volume and Accuracy: One of the largest challenges folks have is ensuring the accuracy and completeness of their large volumes of data.

  2. Understanding Vendor Reports: "Sometimes even the end user at the covered entity level doesn't completely understand the reports they're running for themselves," Vargas notes.

  3. Keeping Up with Changes: There haven’t necessarily been specific compliance changes in the 340B program, but various manufacturer policies are currently in litigation, and it’s important to understand when they will go into effect.

  4. Managing Records Across Multiple Sites: This is particularly challenging for non-hospital entities. Vargas explains, "These non-hospital entities don't always have a system-wide electronic medical record that is universal. Some folks still rely on paper logs at clinic sites."

  5. Preventing Diversion and Duplicate Discounts: This remains an ongoing challenge for many covered entities.


To overcome these challenges, Virtue 340B suggests several strategies:

  1. Implement Automated Systems: Use automation for data management and reconciliation.

  2. Regular Staff Training: Keep your team updated on compliance requirements and industry changes.

  3. Clear Protocols: Establish clear data entry and record-keeping guidelines.

  4. Vendor Communication: Maintain open lines of communication with your TPA partners and vendors.

  5. Leverage Internal Resources: Leveraging your non-340B teams, such as an internal audit or corporate compliance team, to help provide an internal but independent assessment.



Vargas shares a cautionary tale about the importance of proper exclusion criteria: "There was more than one covered entity that I've audited in the past that simply wasn't excluding any Medicaid Fee-For-Service or managed care plans from their capture. Their contract pharmacy and TPA vendor partners didn't proactively identify it for whatever reason. And, you know, it resulted in having to repay manufacturers for over six months and up to over a year in a couple of instances."


On the flip side, he's also seen success stories: "There are a couple of covered entities that I've audited this year that really had things aligned from A to Z, strong policies and procedures, strong record-keeping naming conventions."


Vargas offers a practical tip for assessing a covered entity's dedication to oversight: "If I'm auditing a client that has 30 contract pharmacies from eight different pharmacy chains, and they upload their contracts to me, and there are 50 PDF files with all types of naming conventions across them, and I've got to click into each one just to see who it's applicable for and match it up, versus a client that gives me an upload of 50 contract pharmacy documents saved in separate folders according to the pharmacy chain and dated with pharmacy name and date of the agreement. It's usually a good identifier that the utilization records will also be pretty clean."


By addressing these challenges head-on and implementing robust solutions, you can significantly improve your 340B record-keeping practices and be better prepared for audits.


Explore how Virtue can help Continuously Monitor your 340B Program


Conclusion

Maintaining auditable records for 340B compliance isn't just about satisfying regulators—it's about ensuring the integrity and sustainability of your program. Let's recap the key points:

  1. Implement a systematic storage and retrieval process for your records.

  2. Develop clear, comprehensive policies and procedures that reflect your operations.

  3. Ensure data integrity through regular audits, reconciliations, and staff training.

  4. Prepare for audits with a robust readiness checklist and regular self-audits.

  5. Address common challenges head-on with practical solutions like automation and clear protocols.


Remember, the consequences of poor record-keeping can be severe. As Vargas warned, the worst-case scenario could lead to "removal from the 340B program" and having to "repay manufacturers" for compliance violations. Don't let your organization become a cautionary tale.


Looking ahead, Vargas notes, "Several legislative proposals in recent years have increased transparency requirements for covered entities to demonstrate their use of savings and program impact." This means the importance of maintaining auditable records will only grow in the coming years.



Need Help? Reach out to Virtue 340B for an Independent 340B Audit

If you're feeling overwhelmed by the complexities of 340B record-keeping, you're not alone. Many covered entities struggle with these challenges. That's where Virtue 340B comes in.


The purpose of conducting an internal audit or independent audit is to assess you and give you a roadmap for how to get in line moving forward. Virtue 340B offers comprehensive auditing services, including a unique "340B Policies and Procedures Roadmap" that gives the covered entity a tabled assessment of their policies and procedures for adherence to the HRSA audit requirements.


Don't wait for an HRSA audit to reveal gaps in your record-keeping. Proactively managing your 340B program can save you from headaches—and potentially severe penalties—down the road. Contact Virtue 340B today for expert guidance on maintaining auditable records and ensuring 340B compliance.


Remember, in 340B, good record-keeping isn't just about compliance—it's about demonstrating your commitment to the program's integrity and ability to serve your patients effectively. With the right approach and expert support, you can turn your 340B record-keeping from a challenge into a strength.


Ready to master your 340B program? Get your copy of 340B Mastery today!


bottom of page